18.10.01
Ian, I've been checking ShaoQi's and yours. Both b2s suffered from the usual sign of unChModness of the template file.
To elaborate a bit on the permissions: most webservers actually run as "nobody". So checking for perm 770 might never work, unless the webserver is set to run as the logged-in user of the server or as a user in one of that user's groups. Both solutions are likely to provoke security holes and indiscreet peeking, which is why webservers are run as "nobody". Someone comment me if I'm wrong, please.
Therefore, you've got to check the permission digit not only for 'owner' and 'group', but also for 'others', which means checking that each is set to 6 (read+write) or 7 (read+write+execute). And checking for >= 666 as a plain number wouldn't help either. After all, 700 is more than 666, but it makes a file accessible only to its owner, so "nobody" couldn't write it at all...
2 comments
:: comments
ian - email - url
hey, why didn't i think about that? i've been doing all kinds of strange things like chmoding my index.php and templates.php.
and no, security holes are not likely. they are only definite to happen if stuff is chmoded to 777, which happens to be world-writable (i think), and CGI scripts of any language would thus be able to take advantage.
because, of course, the last digit refers to world privileges -- and on a UNIX system a user STILL requires a password, so 770 should be pretty safe.
18.10.01 @ 11:13:10 675
ian - email - url
oh yeah, and 776 is also like 777, just that there's no execute permission.
18.10.01 @ 11:15:48 677